Quebec’s Law 25 and Cookies: Not So Cookie Cutter
This article is part of our Law 25 Blog Series, which provides readers with a 360° view on Law 25 (formerly known as Bill 64) and its sweeping amendments to Quebec’s Act respecting the protection of personal information in the private sector (the “Private Sector Act” or the “Act”). To view other blog posts in the series, please visit this page. We have also put together a comprehensive toolkit for organizations looking for resources to understand and ensure that they are compliant with Law 25. This toolkit can be found here.
If you’ve recently visited a new website on your phone or computer, chances are you received a notification informing you that the page uses cookies and asking you to accept, reject, or manage them. Cookies are small pieces of data (name-value pairs) that a website’s server asks your browser to store and that the browser then sends back with every later request to that site. They let the site remember things about you between requests: what you put in your shopping cart, your shopping preferences, when you last visited, how long you stayed, or a session identifier that keeps you logged in.
Historically, the use of cookies has fallen between the cracks of privacy and security laws. This changed in the European Union (EU) when the ePrivacy Directive[2] made consent the rule for storing information on a user’s device and the General Data Protection Regulation (GDPR)[1] later recognized cookies as online identifiers that can constitute personal data. Cookie banners began to proliferate on the internet. In Canada, Quebec’s overhaul of its privacy legislation is closing the gap further. While there is some openness in the interpretation of the amended legislation, EU practice lends some insight.
Quebec’s Law 25
On September 22, 2023, a majority of the amendments enacted by An Act to modernize legislative provisions as regards the protection of personal information (“Law 25”, previously known as Bill 64)[3] came into effect. Law 25 is Canada’s latest and most significant privacy legislation development, and it heralds a significant shift in modernizing Canada’s wider privacy landscape. Law 25 introduces stringent obligations on organizations that collect, hold, use, or communicate to third parties any personal information, and increases the penalties for non-compliance, bringing Quebec’s regime closer in line with the GDPR.
Privacy by Default and Design
A key privacy requirement under the new regime is privacy by default and by design. Law 25 speaks to this requirement in two provisions.
First, Section 9.1 requires that “any person carrying on an enterprise who collects personal information when offering to the public a technological product or service having privacy settings must ensure that those settings provide the highest level of confidentiality by default, without any intervention by the person concerned.”[4] Importantly, the legislation specifically states that this requirement does not apply to “browser cookies”.
Second, Section 8.1 creates new obligations for businesses that collect personal information using technology that includes functions allowing the person to be “identified, located, or profiled”. Law 25 defines “profiling” as “collecting or using personal information to assess certain characteristics of a natural person, in particular for the purpose of analyzing that person’s work performance, economic situation, health, personal preferences, interests or behaviour.”[5] Businesses that use such technology must first inform individuals of the following:[6]
- the use of the technology; and
- the means available to activate the functions that allow a person to be identified, located, or profiled.
The use of “activate” appears to be deliberate. In an earlier draft of Bill 64, the obligation was to inform individuals of the means available to “deactivate” the function. The revised language implies that the technology must be deactivated by default.
What does this mean for cookies?
Section 9.1 is the only provision in Law 25 that mentions cookies. Section 8.1 is silent on how the obligation to deactivate profiling technology applies to cookies. This raises a question: How do we harmonize the two provisions? On the one hand, Section 9.1 does not require cookies to be automatically set at the highest level of privacy by default. On the other hand, Section 8.1 implicitly requires that identifying/locating/profiling technology be deactivated by default.
One possibility is that the two provisions can be harmonized if we differentiate between “essential” cookies and “non-essential” cookies. As the names suggest, essential cookies are necessary for a website to function correctly, while non-essential cookies are not. Blocking an essential cookie would typically break some capability of the website, and essential cookies are not typically intended to collect information that identifies, locates, or profiles individuals. Note that the classification turns on what a cookie is used for, not on its name or on whether it is set by the site itself or by a third party: a first-party analytics cookie is still non-essential, and a cookie that is needed for the site to work but is also used for profiling would not keep the essential label for that second use.

| Examples of essential cookies | Examples of non-essential cookies |
| --- | --- |
| Session cookies: keep state across requests within a visit (e.g., the items in a shopping cart). | Analytics and customization cookies: collect information that lets website owners understand how the website is being used. |
| Authentication cookies: hold the session token issued after the user enters their user ID and password, so the user stays logged in. | Advertising cookies: customize a user’s ad experience on websites based on their browsing history. |
| User-centric security cookies: help detect authentication errors and abuse, such as repeated incorrect login attempts. | Social networking tracking cookies: let a user share content on social media and link the activity between the website and the third-party sharing platform. |
| Load-balancing cookies: tell the load balancer which back-end server should continue handling a user’s requests. | |
In the EU, Article 5(3) of the ePrivacy Directive requires consent before information is stored on, or read from, a user’s device (which is what setting a cookie does), unless the cookie is strictly necessary to provide a service the user has explicitly requested. Businesses must therefore obtain user consent before using non-essential cookies, but not for essential cookies.
If we consider this in the context of Law 25, Section 9.1 and Section 8.1 both speak to privacy by design and by default. Products and services must offer the highest level of confidentiality by default, which means that all tracking features must be turned “off” until the individual turns them on.
Essential cookies, such as session or load-balancing cookies, would fall outside both Section 9.1 and Section 8.1 only if they are not used to identify, locate, or profile individuals. They are excluded from Section 9.1 because that section expressly states that the privacy-by-default requirement does not apply to privacy settings for browser cookies, and they could be excluded from Section 8.1 as long as they do not operate to identify, locate, or profile individuals. Non-essential cookies, which identify, locate, or profile individuals and their preferences, would need to be deactivated by default to meet the requirements of Section 8.1 and, on this reading, Section 9.1.
With that said, these provisions came into force very recently, so there is little guidance on how they will be applied, and the tension between Section 8.1 and Section 9.1 could arguably be resolved in another manner. For example, it could be argued that the express exclusion of cookies from the privacy-by-default requirement in Section 9.1 should take precedence and exempt cookies from the scope of Section 8.1 as well.
Best business practice
The purpose of cookie banners and pop-up messages informing users that the site uses cookies is to increase transparency and give users more control over how websites track and collect their data. While doing business in Quebec, we suggest businesses adopt generally accepted practices when using cookies, which may include:
- Obtain users’ consent before setting any cookie other than strictly necessary cookies. An effective method is a cookie consent banner, shown as a pop-up or header on the website, that informs users about the site’s use of cookies and asks for their choice. The site should load with non-essential cookies switched off until the user decides, rather than setting them first and asking afterwards.
- Provide users with the option to customize their cookie preferences or opt out of particular categories of cookies, rather than offering only an all-or-nothing choice.
- Provide accurate and specific information, in plain language, about the data each cookie collects and its purpose before consent is requested.
- Document and store the consent received from users, including which categories were accepted, when, and which version of the cookie notice the user saw.
- Enable users to withdraw consent as easily as consent was given, and stop using (and delete) the cookies in any category the user has turned off.
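The practices above translate into a small amount of application logic: a default-deny gate that refuses to set a cookie unless its category is essential or has been opted into, a per-category preference record, and a withdrawal path that purges what was set. The following JavaScript is an added example written for this post; it is not code from the original article or from any McCarthy Tétrault toolkit. Cookie names (`sid`, `visitor_id`, `ad_profile`), the category names, and the in-memory cookie jar are all constructed for illustration so the code runs offline in Node; in a real site the jar would wrap `document.cookie` (or, for server-set cookies, the server would consult the stored preference before emitting `Set-Cookie`).

```javascript
// Added example: a default-deny consent gate for non-essential cookies.
// Categories follow the essential / non-essential split discussed above.
// The cookie jar and all cookie names are constructed for this example.

const ESSENTIAL = "essential"; // session, authentication, security, load-balancing
const NON_ESSENTIAL_CATEGORIES = ["analytics", "advertising", "social"];

// Stand-in for the browser cookie store so the example runs without a DOM.
class MemoryCookieJar {
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  get(name) { return this.store.get(name); }
  delete(name) { this.store.delete(name); }
  names() { return [...this.store.keys()]; }
}

class CookieConsent {
  constructor(jar, now = () => new Date().toISOString()) {
    this.jar = jar;
    this.now = now; // injectable clock so the consent log is reproducible
    // Highest-privacy default: every non-essential category is off until the
    // user opts in. Merely loading the page changes nothing.
    this.preferences = Object.fromEntries(NON_ESSENTIAL_CATEGORIES.map((c) => [c, false]));
    this.consentLog = [];      // one entry per decision, for record keeping
    this.registry = new Map(); // cookie name -> category, so withdrawal knows what to purge
  }

  // Essential cookies are always allowed; anything else needs an opt-in.
  isAllowed(category) {
    if (category === ESSENTIAL) return true;
    if (!NON_ESSENTIAL_CATEGORIES.includes(category)) {
      throw new Error(`unknown cookie category: ${category}`);
    }
    return this.preferences[category] === true;
  }

  // Sets the cookie only if consent permits it. Returns true when set,
  // false when the gate blocked it (the caller must cope with "no cookie").
  setCookie(name, value, category) {
    if (!this.isAllowed(category)) return false;
    this.jar.set(name, value);
    this.registry.set(name, category);
    return true;
  }

  // Records a per-category decision (the outcome of the banner's "customize"
  // step), logs it, and immediately deletes cookies in any category that is
  // now off, so withdrawing consent is as easy as giving it.
  // Returns the names of the cookies that were purged.
  setPreferences(decision) {
    for (const [category, allowed] of Object.entries(decision)) {
      if (!NON_ESSENTIAL_CATEGORIES.includes(category)) {
        throw new Error(`unknown cookie category: ${category}`);
      }
      if (typeof allowed !== "boolean") {
        throw new Error(`preference for ${category} must be true or false`);
      }
      this.preferences[category] = allowed;
    }
    this.consentLog.push({ at: this.now(), preferences: { ...this.preferences } });
    const toPurge = [...this.registry].filter(([, cat]) => !this.isAllowed(cat));
    for (const [name] of toPurge) {
      this.jar.delete(name);
      this.registry.delete(name);
    }
    return toPurge.map(([name]) => name);
  }

  acceptAll() {
    return this.setPreferences(Object.fromEntries(NON_ESSENTIAL_CATEGORIES.map((c) => [c, true])));
  }

  rejectAll() {
    return this.setPreferences(Object.fromEntries(NON_ESSENTIAL_CATEGORIES.map((c) => [c, false])));
  }
}

// Walk-through with constructed cookie names and a fixed clock.
function demo() {
  const jar = new MemoryCookieJar();
  const consent = new CookieConsent(jar, () => "2023-09-22T00:00:00Z");
  const result = {};
  result.sessionSet = consent.setCookie("sid", "abc123", ESSENTIAL);               // true
  result.analyticsBlocked = consent.setCookie("visitor_id", "v-42", "analytics");  // false
  consent.setPreferences({ analytics: true });          // user opts in to analytics only
  result.analyticsSet = consent.setCookie("visitor_id", "v-42", "analytics");      // true
  result.adsStillBlocked = consent.setCookie("ad_profile", "p-7", "advertising");  // false
  result.purged = consent.rejectAll();                  // ["visitor_id"]
  result.remaining = jar.names();                       // ["sid"]
  result.logEntries = consent.consentLog.length;        // 2
  return result;
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of returning `false` from `setCookie` rather than throwing is that the rest of the site keeps working without the cookie; analytics or advertising code that cannot tolerate a missing cookie is, by that fact, treating a non-essential cookie as essential.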
For more information on how to comply with Law 25, McCarthy Tétrault’s Québec Privacy Compliance Toolkit brings clarity to a number of privacy compliance questions.
[1] General Data Protection Regulation (EU) 2016/679, Recital 30 [GDPR].
[2] Directive 2002/58/EC (Directive on privacy and electronic communications), as amended by Directive 2009/136/EC [ePrivacy Directive].
[3] An Act to modernize legislative provisions as regards the protection of personal information, S.Q. 2021, c. 25 [Law 25], amending the Act respecting the protection of personal information in the private sector, CQLR, c P-39.1 [Amended Private Sector Act].
[4] Amended Private Sector Act, s. 9.1.
[5] Amended Private Sector Act, s. 8.1.
[6] Amended Private Sector Act, s. 8.1.